Iranian hackers get fake HTTPS certs

On March 15th, an HTTPS/TLS Certificate Authority (CA) was tricked into
issuing fraudulent certificates that posed a dire risk to Internet
security. Based on currently available information, the incident got close
to — but was not quite — an Internet-wide security meltdown. As this post
will explain, these events show why we urgently need to start reinforcing
the system that is currently used to authenticate and identify secure
websites and email systems.

http://www.eff.org/deeplinks/2011/03...audulent-https

--
Bear Bottoms
Owner http://bearware.info

["Followup-To:" header set to alt.computer.security.]
On 2011-03-27, Anonymous <nobody@remailer.paranoici.org> wrote:
> Anonymous <cripto@ecn.org> wrote:
>> > On March 15th, an HTTPS/TLS Certificate Authority (CA) was tricked into
>> > issuing fraudulent certificates that posed a dire risk to Internet
>> > security.
>> What exactly would having these certificates allow them to do?
>
> Posing as mail.google.com, www.google.com, login.yahoo.com,
> login.skype.com, and others.

Especially useful if you are say the government of some country with
"opposition problems" and you want to keep track of their use of things
like google searches, skype calls, etc.

>